Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / f8b8f64f4140333f2f6766f2a88fa7f902d5ef9d / . / net / ipv4 / netfilter / ipt_REJECT.c
blob: 1d16c0f28df00d17c38a52bfeff23c0a1bca0142 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1/*
2 * This is a module which is used for rejecting packets.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]3 */
4
5/* (C) 1999-2001 Paul `Rusty' Russell
6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
11 */
Jan Engelhardtff67e4e2010-03-19 21:08:16 +0100[diff] [blame]12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]13#include <linux/module.h>
14#include <linux/skbuff.h>
Tejun Heo5a0e3ad2010-03-24 17:04:11 +0900[diff] [blame]15#include <linux/slab.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]16#include <linux/ip.h>
17#include <linux/udp.h>
18#include <linux/icmp.h>
19#include <net/icmp.h>
Jan Engelhardt6709dbb2007-02-07 15:11:19 -0800[diff] [blame]20#include <linux/netfilter/x_tables.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]21#include <linux/netfilter_ipv4/ip_tables.h>
22#include <linux/netfilter_ipv4/ipt_REJECT.h>
Pablo Neira Ayuso1109a902014-10-01 11:19:17 +0200[diff] [blame]23#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]24#include <linux/netfilter_bridge.h>
25#endif
26
Eric Leblondcc70d062013-12-29 12:28:13 +0100[diff] [blame]27#include <net/netfilter/ipv4/nf_reject.h>
28
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]29MODULE_LICENSE("GPL");
30MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
Jan Engelhardt2ae15b62008-01-14 23:42:28 -0800[diff] [blame]31MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]32
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]33static unsigned int
Jan Engelhardt4b560b42009-07-05 19:43:26 +0200[diff] [blame]34reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]35{
Jan Engelhardt7eb35582008-10-08 11:35:19 +0200[diff] [blame]36 const struct ipt_reject_info *reject = par->targinfo;
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]37 int hook = par->hooknum;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]38
YOSHIFUJI Hideakie905a9e2007-02-09 23:24:47 +0900[diff] [blame]39 switch (reject->with) {
40 case IPT_ICMP_NET_UNREACHABLE:
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]41 nf_send_unreach(skb, ICMP_NET_UNREACH, hook);
YOSHIFUJI Hideakie905a9e2007-02-09 23:24:47 +0900[diff] [blame]42 break;
43 case IPT_ICMP_HOST_UNREACHABLE:
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]44 nf_send_unreach(skb, ICMP_HOST_UNREACH, hook);
YOSHIFUJI Hideakie905a9e2007-02-09 23:24:47 +0900[diff] [blame]45 break;
46 case IPT_ICMP_PROT_UNREACHABLE:
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]47 nf_send_unreach(skb, ICMP_PROT_UNREACH, hook);
YOSHIFUJI Hideakie905a9e2007-02-09 23:24:47 +0900[diff] [blame]48 break;
49 case IPT_ICMP_PORT_UNREACHABLE:
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]50 nf_send_unreach(skb, ICMP_PORT_UNREACH, hook);
YOSHIFUJI Hideakie905a9e2007-02-09 23:24:47 +0900[diff] [blame]51 break;
52 case IPT_ICMP_NET_PROHIBITED:
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]53 nf_send_unreach(skb, ICMP_NET_ANO, hook);
YOSHIFUJI Hideakie905a9e2007-02-09 23:24:47 +0900[diff] [blame]54 break;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]55 case IPT_ICMP_HOST_PROHIBITED:
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]56 nf_send_unreach(skb, ICMP_HOST_ANO, hook);
YOSHIFUJI Hideakie905a9e2007-02-09 23:24:47 +0900[diff] [blame]57 break;
58 case IPT_ICMP_ADMIN_PROHIBITED:
Florian Westphalee586bb2015-02-16 18:54:04 +0100[diff] [blame]59 nf_send_unreach(skb, ICMP_PKT_FILTERED, hook);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]60 break;
61 case IPT_TCP_RESET:
Eric W. Biederman372892e2015-09-25 15:07:27 -0500[diff] [blame]62 nf_send_reset(par->net, skb, hook);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]63 case IPT_ICMP_ECHOREPLY:
64 /* Doesn't happen. */
65 break;
66 }
67
68 return NF_DROP;
69}
70
Jan Engelhardt135367b2010-03-19 17:16:42 +0100[diff] [blame]71static int reject_tg_check(const struct xt_tgchk_param *par)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]72{
Jan Engelhardtaf5d6dc2008-10-08 11:35:19 +0200[diff] [blame]73 const struct ipt_reject_info *rejinfo = par->targinfo;
74 const struct ipt_entry *e = par->entryinfo;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]75
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]76 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
Jan Engelhardtff67e4e2010-03-19 21:08:16 +0100[diff] [blame]77 pr_info("ECHOREPLY no longer supported.\n");
Jan Engelhardtd6b00a52010-03-25 16:34:45 +0100[diff] [blame]78 return -EINVAL;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]79 } else if (rejinfo->with == IPT_TCP_RESET) {
80 /* Must specify that it's a TCP packet */
Joe Perches3666ed12009-11-23 23:17:06 +0100[diff] [blame]81 if (e->ip.proto != IPPROTO_TCP ||
82 (e->ip.invflags & XT_INV_PROTO)) {
Jan Engelhardtff67e4e2010-03-19 21:08:16 +0100[diff] [blame]83 pr_info("TCP_RESET invalid for non-tcp\n");
Jan Engelhardtd6b00a52010-03-25 16:34:45 +0100[diff] [blame]84 return -EINVAL;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]85 }
86 }
Jan Engelhardtd6b00a52010-03-25 16:34:45 +0100[diff] [blame]87 return 0;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]88}
89
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]90static struct xt_target reject_tg_reg __read_mostly = {
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]91 .name = "REJECT",
Jan Engelhardtee999d82008-10-08 11:35:01 +0200[diff] [blame]92 .family = NFPROTO_IPV4,
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]93 .target = reject_tg,
Patrick McHardy1d5cd902006-03-20 18:01:14 -0800[diff] [blame]94 .targetsize = sizeof(struct ipt_reject_info),
95 .table = "filter",
Patrick McHardy6e23ae22007-11-19 18:53:30 -0800[diff] [blame]96 .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
97 (1 << NF_INET_LOCAL_OUT),
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]98 .checkentry = reject_tg_check,
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]99 .me = THIS_MODULE,
100};
101
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]102static int __init reject_tg_init(void)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]103{
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]104 return xt_register_target(&reject_tg_reg);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]105}
106
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]107static void __exit reject_tg_exit(void)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]108{
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]109 xt_unregister_target(&reject_tg_reg);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]110}
111
Jan Engelhardtd3c5ee62007-12-04 23:24:03 -0800[diff] [blame]112module_init(reject_tg_init);
113module_exit(reject_tg_exit);